Posted by samzenpus on Thursday June 28, 2012 @04:36AM from the come-on-in dept.

judgecorp writes "UK Universities have been found using weak SSL security implementations on their websites. An investigation by TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool launched by the Trustworthy Internet Movement earlier this year, which grades SSL security. Contacted by the site, most have put upgrades in place to improve security."

In the end, Unis don't want web services to be their core business. Where once Sysadmins managed the web, now it is run by project managers, consultants, standardised, virtualised, outsourced or offshored. The nerds get marginalised and the job gets dumbed down. Quality falls, hilarity ensues. Everybody dies.

The start of WarGames... let's see IIRC... Mr. Blonde nearly ended Leo McGarry because he didn't want to press the Big Red Button®... and it turned out the launch command was just an exercise, so it's a good thing Mr. McGarry had a conscience and didn't end the world, but they replaced all the silo monkeys with old blinking light props from Star Trek anyway, which set the stage for Skynet, the A.I. created by Cyberdyne Systems for SAC-NORAD, which we find out the following year regarded all humans as a

You don't need to recompile anything. Just modify your Apache config to turn on SSLHonorCipherOrder and select which ciphersuites to use.
SSLHonorCipherOrder On
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

This is hilarious. "Weak SSL Security Settings" is what pentesters write to pad out their report when they run out of useful findings. Universities have the poorest computer security of any type of organisation, period. Now, there are a lot of reasons for that - one of which is the inherent conflict between running an "open" network and keeping things secure. But if "poor SSL security settings" is the worst security issue a uni has, they are doing incredibly well.

Weak SSL security is something you exploit if a) you're a government, or b) you're screwing around with people in a coffee shop. Most of the published attacks are academic, and the only tool people regularly use is sslstrip or attacks along those lines. Hell, most users click through certificate warnings anyway.

But hey, even though SSL is "not usually the actual problem", these things should be fixed. If you want to test your own site, head over to: https://www.ssllabs.com/ssltest/index.html and plug in your domain name. If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.
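The two comments above say an "A grade" is a few Apache stanzas away (SSLHonorCipherOrder plus a sensible SSLCipherSuite), but they do not show how to tell a weak stanza from a fixed one. The script below is an added example, not code from any poster in this thread or from SSL Labs: it lints the TLS directives of an httpd config for the points discussed here, and also checks SSLProtocol (a real httpd directive that the thread itself does not mention). Both config texts are constructed for illustration, and the check of cipher tokens is a simple string match, not a full OpenSSL cipher-string evaluator.

```python
"""Lint the TLS directives of an Apache httpd config.

Added example for this thread (not the posters' code). Checks:
  - SSLHonorCipherOrder is on (server, not client, picks the cipher)
  - SSLProtocol does not leave SSLv2/SSLv3 enabled
  - SSLCipherSuite excludes anonymous/null/export suites and does not
    positively offer legacy ciphers such as RC4, DES or MD5-based suites
"""

# Constructed sample: a typical weak stanza ...
WEAK_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL:!ADH
</VirtualHost>
"""

# ... and the corrected form of the same stanza.
HARDENED_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:HIGH
</VirtualHost>
"""

REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT"}
LEGACY_TOKENS = ("RC4", "DES", "MD5", "EXPORT")
OLD_PROTOCOLS = ("SSLv2", "SSLv3")


def directives(config):
    """Yield (name, value) pairs, skipping comments and <Section> tags."""
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def check_protocols(value):
    """Resolve httpd's 'all', '+proto', '-proto' syntax and flag SSLv2/SSLv3."""
    enabled = set()
    for token in value.split():
        if token == "all":
            enabled.update(("SSLv2", "SSLv3", "TLSv1"))
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return ["SSLProtocol leaves %s enabled" % p for p in OLD_PROTOCOLS if p in enabled]


def check_cipher_suite(value):
    """Flag missing exclusions and positively offered legacy ciphers."""
    findings = []
    tokens = value.split(":")
    for needed in sorted(REQUIRED_EXCLUSIONS - set(tokens)):
        findings.append("SSLCipherSuite lacks %s" % needed)
    for token in tokens:
        if token.startswith("!"):
            continue
        for legacy in LEGACY_TOKENS:
            if legacy in token.upper():
                findings.append("SSLCipherSuite offers legacy cipher token %s" % token)
                break
    return findings


def lint_ssl_config(config):
    """Return a list of findings for the config text; an empty list is clean."""
    seen = dict(directives(config))
    findings = []
    if seen.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client picks the cipher")
    findings += check_protocols(seen.get("SSLProtocol", "all"))
    findings += check_cipher_suite(seen.get("SSLCipherSuite", "DEFAULT"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_ssl_config(cfg) or "no findings")
```

Run against the cipher string posted earlier in the thread, `check_cipher_suite` still flags the two positively listed RC4 suites, which is the kind of "weak cipher" finding that costs a grade on the SSL Labs test; the linter is a pre-deployment check, not a replacement for testing the live server.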

That's because of the VeriSign/Thawte racket. They charge money for no work. According to SSL design, any certificate is supposed to undergo more checking than they currently do for EV certs. Since the CAs are not going to actually do the checking, it is time to move to DNSSEC-based signatures, which are strictly better than the present state. Even if the CAs themselves would be perfectly secure, they sell certificates to anyone who can read mail sent to the given domain, and if you can set DNSSEC, you

I got a 5-year cert from GoDaddy for $50. It's really not that much if you've bothered to have an SSL port exposed to the world. It scores "A" on that site and doesn't produce any kind of cert warning in any browser that I know of (and Opera is particularly fussy about SSL certs).

Beyond that, a number of SSL suppliers give out free certs now for the lower end (not saying you'd score "A" but they probably wouldn't error out in most browsers and would give you a basic "padlock").

IIRC if you only need one domain on the cert then startssl will do it for free. If you want wildcards or multiple names on the cert then you will have to pay a bit but IIRC it's not horrifically expensive.

These are open websites, no confidential information, it is just a public facing system

Like people "hacking the FBI" it is meaningless to have access to a website that only provides information, you already have the information before you hacked it...

This is a security company scanning websites that don't care and finding they are "insecure" according to their own tool......most of these tools have scary warnings that a system is insecure "in flashing bright red letters" for very minor and largely irreleva

That's fine and dandy. But each of the "more info" links goes to a blog posting that discusses the topic just a little bit, and only one of them provides enough information to fix it. Thankfully our sites aren't handling financial transactions of any kind, or I might have to actually locate a fix... how is everyone else fixing this (esp. the renegotiation vulnerability) if there's nothing

Doing research requires setting up a lot of one-off services, like a logbook, wiki, etc. Getting correct certificates for these things is a pain, and it's just not done. So users end up having to accept a large number of self-signed certificates, and bypass the annoying warnings in Firefox. SSL seems to have been designed for large shopping websites, while temporary and small-time web sites / services can't use it effectively. Using a self-signed certificate is much better than not encrypting data, as it prevents snooping in most cases (except for MITM attacks), so this is done. It would be good if browsers adopted a model more similar to SSH's "known_hosts", where there was a simple prompt for first-time visits to sites with unknown self-signed certificates, and the certificate was saved. They could reserve the ridiculous end-of-the-world warnings (like they show currently) for when the certificate changed unexpectedly. People should probably never use short expiry dates for self-signed certificates (unless they set up a CA)
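The known_hosts model the comment proposes is trust-on-first-use: remember the certificate the first time a host is seen, stay quiet while it keeps matching, and shout only when it changes. The store below is an added example of that logic, not the poster's code and not how any browser implements it; the "certificates" are constructed byte strings standing in for DER-encoded certificate data, and the three outcomes are named here for illustration.

```python
"""Trust-on-first-use certificate store in the style of SSH's known_hosts.

Added example for this thread (not the poster's code). A real client would
pass the peer's DER certificate bytes, e.g. from ssl's getpeercert(True).
"""
import hashlib
import json
from pathlib import Path

FIRST_SEEN = "first-seen"  # unknown host: one simple prompt, then remember it
MATCH = "match"            # same certificate as before: no prompt at all
CHANGED = "changed"        # certificate changed unexpectedly: loud warning


def fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownHosts:
    """Maps host name -> fingerprint; persisted as JSON when a path is given."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        if self.path and self.path.exists():
            self.entries = json.loads(self.path.read_text())
        else:
            self.entries = {}

    def save(self):
        if self.path:
            self.path.write_text(json.dumps(self.entries, indent=2, sort_keys=True))

    def check(self, host, der_bytes, accept_new=True):
        """Return (outcome, fingerprint) for this connection.

        accept_new=True models the user answering 'yes' to the first-visit
        prompt; False models 'no', in which case nothing is remembered.
        """
        fp = fingerprint(der_bytes)
        known = self.entries.get(host)
        if known is None:
            if accept_new:
                self.entries[host] = fp
                self.save()
            return FIRST_SEEN, fp
        if known == fp:
            return MATCH, fp
        # Deliberately not overwritten: only an explicit user action may
        # replace a remembered certificate after a mismatch.
        return CHANGED, fp

    def replace(self, host, der_bytes):
        """Explicit, user-driven acceptance of a new certificate for a host."""
        self.entries[host] = fingerprint(der_bytes)
        self.save()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        store = KnownHosts(Path(tmp) / "known_hosts.json")
        cert_a = b"constructed DER bytes for wiki cert A"  # stands in for real DER
        cert_b = b"constructed DER bytes for wiki cert B"
        for der in (cert_a, cert_a, cert_b):
            print(store.check("wiki.example.ac.uk", der))
```

The design choice worth noting is the one the comment makes implicitly: the first visit is trusted blindly, so this model protects later connections against an attacker who was not present at the first one, and it is the unexpected change, not the absence of a CA signature, that deserves the full-page warning. Short expiry dates work against this model because every legitimate renewal looks like a change.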

Unfortunately that's not the end of it. I recently found out my alma mater uses software to manage the alumni records from a company called Blackbaud. The software includes a website that alumni can use to keep the university up to date with their contact details, find out about events and hunt down old classmates. The engineers at Blackbaud in their infinite wisdom chose to store passwords in a recoverable format. I nearly flipped when I did a password recovery a few weeks back and was sent my actual pa
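For contrast with the recoverable storage the comment describes, here is an added example (not Blackbaud's code, nor the university's) of the two models side by side: a reversible record that can be mailed back to the user, and a salted, iterated one-way hash with a reset-token flow that never needs the original password. The PBKDF2 iteration count and the record format are choices made for this illustration.

```python
"""Recoverable password storage beside a one-way alternative.

Added example for this thread; it is not the software the comment
describes. Iteration count and record layout are illustrative choices.
"""
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # illustrative; tune to the hardware in use


# --- The model the comment describes: the password can be handed back. ---
def store_recoverable(password):
    """Encoding is not protection: whoever reads the record reads the password."""
    return base64.b64encode(password.encode()).decode()


def recover(stored):
    """This is what a 'password recovery' e-mail containing the password implies."""
    return base64.b64decode(stored).decode()


# --- One-way alternative: verify by recomputation, never by decoding. ---
def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# --- Recovery without recoverability: a single-use reset token. ---
def issue_reset_token():
    """Return (token_for_email, hash_to_store); only the hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def redeem_reset_token(token, stored_hash):
    """Constant-time check of the presented token against the stored hash."""
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), stored_hash)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
    token, token_hash = issue_reset_token()
    print(redeem_reset_token(token, token_hash))
```

The point of the token flow is that a compromised database yields neither passwords nor usable reset links: the server stores only hashes of both, and a leaked token hash cannot be turned back into the token that the e-mail carried.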